eric-forte-elastic
38 lines
1.2 KiB
Python
38 lines
1.2 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
from pathlib import Path
|
|
|
|
from . import RtaMetadata, common
|
|
|
|
metadata = RtaMetadata(
|
|
uuid="29eb99a6-14cc-4d37-81dd-c2e78cda8c74",
|
|
platforms=["windows"],
|
|
endpoint=[],
|
|
siem=[{
|
|
'rule_id': '6cd1779c-560f-4b68-a8f1-11009b27fe63',
|
|
'rule_name': 'Microsoft Exchange Server UM Writing Suspicious Files'
|
|
}],
|
|
techniques=['T1190'],
|
|
)
|
|
EXE_FILE = common.get_path("bin", "renamed_posh.exe")
|
|
|
|
|
|
@common.requires_os(*metadata.platforms)
|
|
def main():
|
|
proc = "C:\\Users\\Public\\UMWorkerProcess.exe"
|
|
path = "C:\\Users\\Public\\Microsoft\\Exchange Server Test\\FrontEnd\\HttpProxy\\owa\\auth\\"
|
|
argpath = "C:\\Users\\Public\\Microsoft\\'Exchange Server Test'\\FrontEnd\\HttpProxy\\owa\\auth\\"
|
|
common.copy_file(EXE_FILE, proc)
|
|
Path(path).mkdir(parents=True, exist_ok=True)
|
|
file = argpath + "\\shell.php"
|
|
|
|
common.execute([proc, "/c", f"echo AAAAAAAA | Out-File {file}"], timeout=10, kill=True)
|
|
common.remove_files(proc)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|